
All You Need to know about "WannaCry Ransomware"

Attack Variants

First Variant: .WCRY
Second Variant: .WCRY (+ .WCRYT for temp)
Third Variant: .WNCRY (+ .WNCRYT for temp)

Who does it affect

Any Windows computer without the Windows patch MS17-010.

What to do

Apply the Microsoft MS17-010 patch immediately.

The background

Current analysis says the "WCry" ransomware, sometimes also known as WannaCry, WanaCrypt0r, WannaCrypt or Wana Decrypt0r, version 3.0, has been spreading very heavily in the last 2 days, and I am sure we will be seeing a lot of victims in the coming days. This ransomware displays a lock screen to the victim, encrypts the files and asks for a ransom. The files can only be decrypted after paying a ransom of 300 to 600 USD.

It started with the group "The Shadow Brokers (TSB)", which first appeared in the early summer of 2016 and released a set of Windows-related exploits, put up for auction, on April 14, 2017.

Out of that bucket, an exploit via SMB (Server Message Block) for Windows hosts (Windows 8 & Windows Server 2012) was published under the name "EternalBlue".

Microsoft and Cisco released fixes for "EternalBlue" in March 2017 as a critical security update: Microsoft Security Bulletin MS17-010 and the Snort rule with SID 41978, respectively. However, it appears many organizations have not yet installed the patch.

Therefore, it is important to consider that any Windows computer exposing its SMB service can be remotely attacked with the "EternalBlue" exploit if left unpatched.

Sources also mentioned that 'The Shadow Brokers' used Twitter accounts to provide access to dumps (exploits/tools) for targeting the SWIFT banking system of several banks across the world. The list of all files contained in the dump is available on Git here.

The WCry attack used remote code execution through the very same Microsoft bug that was made exploitable via the "EternalBlue" exploit.

Attack Analysis

WannaCry is getting a great deal of attention from security professionals across the globe, as it is a unique piece of work: one single package containing ransomware, malware and a worm all together. An attacker may choose different vectors to establish the attack. It may start with a simple spam email or a direct exploit against the target IP address or servers.

In both scenarios, the attacker uses the "mssecsvc.exe" file to drop and execute its payload "tasksche.exe". This executable tests the kill-switch domains, and a new mssecsvc2.0 service is created to ensure the malware's persistence.

Further, the tasksche.exe service executes "mssecsvc.exe" from an entry point different from the one used on initial execution. The service checks the IP address of the victim machine and attempts to connect to each host/IP address in the same subnet on TCP port 445 (SMB). Upon a successful connection to a victim machine, a session is initiated and the payload is transferred.

The malware uses the "EternalBlue" exploit against the SMB vulnerability (already addressed by Microsoft in MS17-010) and tries to implant the "DOUBLEPULSAR" backdoor. This backdoor is then used to execute WannaCry on the newly targeted victim system.
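As an added illustration (not code from the original article), the following Python script runs the host-based indicators described above (the mssecsvc.exe and tasksche.exe processes, the mssecsvc2.0 service, and a burst of TCP 445 connections across the local subnet) over constructed sample log lines; the pipe-separated event format, the /24 subnet assumption and the five-peer threshold are assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample telemetry (not real logs), one event per line:
#   proc|<host>|<image path>   svc|<host>|<service name>   net|<host>|<src ip>|<dst ip>|<port>
SAMPLE_EVENTS = [
    "proc|WS01|C:\\Windows\\mssecsvc.exe",
    "proc|WS01|C:\\Windows\\tasksche.exe",
    "svc|WS01|mssecsvc2.0",
    "net|WS01|10.0.5.20|10.0.5.2|445",
    "net|WS01|10.0.5.20|10.0.5.3|445",
    "net|WS01|10.0.5.20|10.0.5.4|445",
    "net|WS01|10.0.5.20|10.0.5.5|445",
    "net|WS01|10.0.5.20|10.0.5.6|445",
    "net|WS01|10.0.5.20|203.0.113.9|445",   # off-subnet, not counted as a sweep peer
    "proc|WS02|C:\\Windows\\notepad.exe",
    "net|WS02|10.0.5.21|10.0.5.7|443",
]

PROCESS_IOCS = {"mssecsvc.exe", "tasksche.exe"}   # dropper and payload named in the article
SERVICE_IOCS = {"mssecsvc2.0"}                     # persistence service named in the article
SWEEP_THRESHOLD = 5   # distinct same-subnet peers on TCP 445 from one host (assumed tuning value)

def same_subnet(src, dst, prefix=24):
    """True when dst lies in src's /prefix network (a /24 is assumed here)."""
    return ipaddress.ip_address(dst) in ipaddress.ip_network(f"{src}/{prefix}", strict=False)

def analyze(events, threshold=SWEEP_THRESHOLD):
    """Return {host: [finding, ...]} for hosts showing any of the WannaCry indicators."""
    findings = defaultdict(list)
    smb_peers = defaultdict(set)
    for line in events:
        kind, host, *fields = line.split("|")
        if kind == "proc":
            image = fields[0].rsplit("\\", 1)[-1].lower()
            if image in PROCESS_IOCS:
                findings[host].append(f"known dropper/payload process: {image}")
        elif kind == "svc":
            if fields[0].lower() in SERVICE_IOCS:
                findings[host].append(f"persistence service installed: {fields[0]}")
        elif kind == "net":
            src, dst, port = fields
            if port == "445" and same_subnet(src, dst):
                smb_peers[host].add(dst)
    for host, peers in smb_peers.items():
        if len(peers) >= threshold:
            findings[host].append(f"SMB sweep: {len(peers)} same-subnet peers on TCP 445")
    return dict(findings)
```

Process and service names alone are weak signals (the malware borrows Windows-looking names), so the subnet-wide 445 sweep from a workstation is the finding worth paging on.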

How does it start

Assume the "WCry" ransomware starts with a spam email that includes a malicious link or a malicious document. Once it is clicked or opened by the target user, the malware holds the user's computer hostage until the ransom is paid.

The malware encrypts all files on the system with a private encryption key, and the key is only made available after the ransom is paid.

The ransomware usually requests 300 or 600 U.S. dollars in Bitcoin (cryptocurrency) and supplies the wallet to pay into.

The ransomware also informs the target victim through a Read Me file.

Up to here it was level 1 only. Level 2 starts when a system is part of an enterprise-wide network. Eventually, all systems left without the MS17-010 patch become vulnerable and get infected.

Some of the malware files used by WCry carry version information stolen from random Microsoft Windows 7 system tools.

Most Affected Countries

Among the worst hit by this massive ransomware is the National Health Service (16 medical institutions) in England and Scotland. The operations of FedEx, a global delivery company, and the Spanish multinational Telefonica were also affected as the cyber-attack wreaked havoc.

Russia's interior ministry showed promptness in dealing with the cyber-attack and saved thousands of its computers and sensitive data from the malware. India is also among the hard-hit, as a wide population still uses the Windows XP platform.

China is yet to make an official comment on the incidence of virus-infected computers and the damage caused by the latest cyber threat.

How to Mitigate Risk

Install the official patch (MS17-010) from Microsoft to close the vulnerability. The list of patches for the remaining operating systems is available at Microsoft releasing security patches.

Scan all systems. If the malware attack is detected as MEM: Trojan.Win64.EquationDrug.gen, reboot the system.

Isolate infected devices immediately by removing them from the network as soon as possible, to prevent the ransomware from spreading across the network or to shared drives.

Kalpana Araya
Kalpana is an inquisitive tech enthusiast who loves reading & writing everything under the sun. Currently writing for Tech, SAAS, IT Hardware and Software products. She is a Digital expert with 5+ years of experience in the industry.

Techpillar.com
